cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1839
Views
5
Helpful
4
Replies

Patching linux LMS 4.1 server

Michel Hegeraat
Level 7
Level 7

Dears,

I have a server in a very restricted environment, but SSH and SCP is permitted between my VLAN and the server, that is certain.

I configured the SCP service on the LMS server with a username and password that also happens to be a valid linux account.

When I try to upload the patch it just fails eventhough username and password are correct and target directory is pertfectly writable for the used account.

How should I get the patch on this server? How is the server able to block this? How should a network device be able to push its IOS into the server?

c:\Cust\didata\LMS4.1>"c:\Program files\putty\pscp.exe" -v -scp  lms4.1.0-Linux-CSCts156311.tar   admin@LMS41:/tmp

Looking up host "10.170.43.1"

Connecting to 10.170.43.1 port 22

Server version: SSH-2.0-OpenSSH_4.3

Using SSH protocol version 2

We claim version: SSH-2.0-PuTTY_Release_0.61

Doing Diffie-Hellman group exchange

Doing Diffie-Hellman key exchange with hash SHA-1

Host key fingerprint is:

ssh-rsa 2048 a1:ec:ec:9a:c1:45:ba:f9:ef:85:4e:db:63:4f:14:8b

Initialised AES-256 SDCTR client->server encryption

Initialised HMAC-SHA1 client->server MAC algorithm

Initialised AES-256 SDCTR server->client encryption

Initialised HMAC-SHA1 server->client MAC algorithm

Using username "admin".

Using SSPI from SECUR32.DLL

GSSAPI authentication request refused

Access denied

Access denied

admin@10.170.43.1's password:

Sent password

Access granted

Opened channel for session

Started a shell/command

Using SCP1

Connected to 10.170.43.1

Error getting tty, exiting

Server sent command exit status 1

Disconnected: All channels closed

Lost connection

c:\Cust\didata\LMS4.1>

So I created anohter user "didata" on the server and modified the SCP user and try to copy the patch to this new users home directory.

c:\Cust\didata\LMS4.1>"c:\Program files\putty\pscp.exe" -v -scp  lms4.1.0-Linux-CSCts156311.tar   didata@LMS41:/home/didata

Looking up host "10.170.43.1"

Connecting to 10.170.43.1 port 22

Server version: SSH-2.0-OpenSSH_4.3

Using SSH protocol version 2

We claim version: SSH-2.0-PuTTY_Release_0.61

Doing Diffie-Hellman group exchange

Doing Diffie-Hellman key exchange with hash SHA-1

Host key fingerprint is:

ssh-rsa 2048 a1:ec:ec:9a:c1:45:ba:f9:ef:85:4e:db:63:4f:14:8b

Initialised AES-256 SDCTR client->server encryption

Initialised HMAC-SHA1 client->server MAC algorithm

Initialised AES-256 SDCTR server->client encryption

Initialised HMAC-SHA1 server->client MAC algorithm

Using username "didata".

Using SSPI from SECUR32.DLL

GSSAPI authentication request refused

Access denied

Access denied

didata@10.170.43.1's password:

Sent password

Access denied

Access denied

didata@10.170.43.1's password:

Sent password

Access denied

Access denied

didata@10.170.43.1's password:

Sent password

Access denied

Access denied

didata@10.170.43.1's password:

Do we need to create a special user for this? How should this be done ?

Cheers,

Michel

1 Accepted Solution

Accepted Solutions

The ability to put files (like patches) on the appliance in no way affects SWIM.  SWIM will still work with SCP.  For system administration, though, you need to do the pull thing.

View solution in original post

4 Replies 4

Joe Clarke
Cisco Employee
Cisco Employee

The LMS Linux appliance restricts how it grants shell access.  What you need to do is login to the restricted appliance shell using your sysadmin account.  Then enable the root shell using the "shell" command.  Once you have the root shell enabled and you have entered root mode, then you can pull the patch from another SCP server.  You will not be able to push the patch.

Thanks Joe,

Doesn't this new behavior affect my customers desire to only use SCP and SSH?

Can a device still upload it's image in anyway using SCP? I suspect from now on only if the device is the server and LMS the client.

Problem is that in SWIM I can't choose if the device is the server and LMS the client. SWIM makes that choice for me.

I assume the SWIM in LMS 4.1 is aware incoming SCP is no longer permitted?

Cheers;

Michel

The ability to put files (like patches) on the appliance in no way affects SWIM.  SWIM will still work with SCP.  For system administration, though, you need to do the pull thing.

OK,

I was asking because I noticed in LMS 4.0 the LMS server usually seems to take the role of SCP server and the device the client. 

I think I will tell my customer that LMS in the virtual appliance is more secure and that he needs an external SCP server if he wants to download upload images manually (outside of SWIM) .

Since he will not allow the server to have access to the internet, any other software updates, patches IOS's and device updates will have to go on another SCP server first anyway.

Cheers,

Michel

Review Cisco Networking for a $25 gift card